How to Monitor Linux Server Security with Osquery

Osquery is a free open source, powerful and cross-platform SQL-based operating system instrumentation, monitoring, and analytics framework for Linux, FreeBSD, Windows, and Mac/OS X systems, built by Facebook. It is a simple and easy-to-use operating system explorer.

It combines a number of tools which perform low-level OS analytics and monitoring; these tools reveal an operating system as a high-performance relational database such as MySQL/MariaDB, PostgreSQL and more, where OS concepts are represented in tabular form, thus allowing users to employ SQL commands to carry out system monitoring and analytics.

Osquery use a simple plugin and extensions API to implement SQL tables, there is a collection of tables in existence ready for use, and more are being written. Some tables can only be found on a specific operating system, for instance, you only find the kernel_modules table on Linux systems.

Additionally, you can run queries to monitor and analyze OS state on a single host via the osqueryi shell, or on several hosts on a network via a scheduler or execute them from any of your custom applications using osquery Thrift APIs.

How to Install Osquery in Linux

The Osquery can be installed from the official repository using apt yum or dnf package management tool on your respective Linux distribution as shown.

On Debian/Ubuntu

$ export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
$ sudo apt-key adv --keyserver --recv-keys $OSQUERY_KEY
$ sudo add-apt-repository 'deb [arch=amd64] deb main'
$ sudo apt update
$ sudo apt install osquery


$ curl -L | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
$ sudo yum-config-manager --add-repo
$ sudo yum-config-manager --enable osquery-s3-rpm-repo
$ sudo yum install osquery

On Fedora 22+

$ curl -L | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
$ dnf config-manager --add-repo --add-repo
$ sudo dnf config-manager --set-enabled osquery-s3-rpm
$ sudo dnf install osquery

How to Monitor and Analyze Linux Using Osquery

Once you have successfully installed Osquery on your system, launch the osqueryi shell to start querying the state of your OS as shown.

$ osqueryi

Using a virtual database. Need help, type '.help'

To get a summarized Linux system information run the following command.

osquery> SELECT  * FROM system_info;
Get Linux System Info
Get Linux System Info

To get a well formated list of all users on the Linux system, run the following query.

osquery> SELECT * FROM users;
List of All Linux Users
List of All Linux Users

To get a list of all Linux kernel modules and their status, run the following query.

osquery> SELECT * FROM kernel_modules;
List All Kernel Modules in Linux
List All Kernel Modules in Linux

To get a list of all installed RPM packages on CentOS, RHEL and Fedora, run the following query.

osquery> .all rpm_packages;
List All Installed RPM Packages
List All Installed RPM Packages

To get a informatin about running Linux processes, run the following query.

osquery> SELECT DISTINCT, listening_ports.port, FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address = '';
List Linux Processes Information
List Linux Processes Information

If you are running osquery on a desktop and have Firefox or Chrome installed, you can list all your add-ons using the following query.

osquery> .all firefox_addons;
osquery> .all  chrome_extensions;

To display a list of all implemented tables in Linux, use the .tables command as shown.

osquery> .tables;	#list all implemented tables
osquery> .help; 	#view help message

Osquery also provides file integrity monitoring (FIM), and process and socket auditing features and more, thus it is an intrusion detection tool, but this calls for certain configurations before you can deploy it for such a purpose. You can find more information from the Osquery Github repository.

Tutorial Feedback...
Was this article helpful? If you don't find this article helpful or found some outdated info, issue or a typo, do post your valuable feedback or suggestions in the comments to help improve this article...

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

4 thoughts on “How to Monitor Linux Server Security with Osquery”

  1. The Fedora install has two problems:

    # dnf config-manager --add-repo --add-repo

    Should be

    # dnf config-manager --add-repo


    # sudo dnf config-manager --set-enabled osquery-s3-rpm

    Should be

    # sudo dnf config-manager --set-enabled osquery-s3-rpm-repo

Got something to say? Join the discussion.

Have a question or suggestion? Please leave a comment to start the discussion. Please keep in mind that all comments are moderated and your email address will NOT be published.